Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 98aa585d7ea2e53740579e88d5a8506c8a4220aa
https://github.com/WebKit/WebKit/commit/98aa585d7ea2e53740579e88d5a8506c8a4220aa
Author: Chris Dumez <[email protected]>
Date: 2025-12-06 (Sat, 06 Dec 2025)
Changed paths:
M Source/WTF/wtf/MetaAllocator.cpp
M Source/WTF/wtf/MetaAllocator.h
Log Message:
-----------
Update MetaAllocator::freeFreeSpaceNode() to call the FreeSpaceNode destructor
https://bugs.webkit.org/show_bug.cgi?id=303519
Reviewed by Geoffrey Garen.
Override `operator delete` for FreeSpaceNode to call MetaAllocatorFreeSpaceMalloc::free() to free the memory and add logic to deal with CheckedPtrs so we can actually guard against use-after-free. It also makes sure to call the FreeSpaceNode destructor before freeing the memory since FreeSpaceNode subclasses CanMakeThreadSafeCheckedPtr and it is important for its destructor to run in order to get security benefits.
Also override `operator new` to call `MetaAllocatorFreeSpaceMalloc::malloc()` for consistency.
Finally, address the crashes found by the steps above.
* Source/WTF/wtf/MetaAllocator.cpp:
(WTF::MetaAllocator::~MetaAllocator):
(WTF::MetaAllocator::addFreeSpace):
(WTF::MetaAllocator::allocFreeSpaceNode):
(WTF::MetaAllocator::freeFreeSpaceNode):
* Source/WTF/wtf/MetaAllocator.h:
Canonical link: https://commits.webkit.org/304051@main
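The point of the commit above is that freeing a node's memory directly skips its destructor, and the destructor is where CanMakeThreadSafeCheckedPtr would notice that a CheckedPtr still references the object. The following is an added illustration, not WebKit's code: `FreeSpaceMalloc` and `CheckedTarget` are simplified stand-ins for MetaAllocatorFreeSpaceMalloc and CanMakeThreadSafeCheckedPtr (the real class crashes on a dangling reference; the stand-in only counts it so the example can run), and the class-specific `operator new`/`operator delete` route storage through the custom allocator as the commit describes.

```cpp
#include <atomic>
#include <cstddef>
#include <cstdlib>

// Stand-in for MetaAllocatorFreeSpaceMalloc (assumption, not WTF's code):
// a dedicated allocator that also tracks how many blocks are live.
struct FreeSpaceMalloc {
    static int liveBlocks;
    static void* malloc(std::size_t n) { ++liveBlocks; return std::malloc(n); }
    static void free(void* p) { --liveBlocks; std::free(p); }
};
int FreeSpaceMalloc::liveBlocks = 0;

// Stand-in for CanMakeThreadSafeCheckedPtr: counts outstanding checked
// references. The destructor is the only place a dangling reference can be
// detected, so skipping it silently loses the use-after-free guard.
struct CheckedTarget {
    std::atomic<unsigned> checkedPtrCount { 0 };
    static int danglingReferencesDetected;
    ~CheckedTarget() { if (checkedPtrCount.load()) ++danglingReferencesDetected; }
};
int CheckedTarget::danglingReferencesDetected = 0;

// Node type modelled on FreeSpaceNode: storage comes from the dedicated
// allocator via class-specific operator new/delete, as in the commit.
struct FreeSpaceNode : CheckedTarget {
    std::size_t start, size;
    FreeSpaceNode(std::size_t s, std::size_t n) : start(s), size(n) { }
    static void* operator new(std::size_t n) { return FreeSpaceMalloc::malloc(n); }
    static void operator delete(void* p) { FreeSpaceMalloc::free(p); }
};

// "Before" shape: hand the memory straight back to the allocator.
// ~FreeSpaceNode never runs, so the outstanding reference goes unnoticed.
bool freeWithoutDestructorMissesDanglingRef() {
    int before = CheckedTarget::danglingReferencesDetected;
    FreeSpaceNode* node = new FreeSpaceNode(0x1000, 0x200);
    node->checkedPtrCount++;        // simulate a CheckedPtr still alive
    FreeSpaceMalloc::free(node);    // bypasses the destructor entirely
    return CheckedTarget::danglingReferencesDetected == before;
}

// "After" shape: delete runs ~FreeSpaceNode (the check) and then the
// overridden operator delete (the actual free), in that order.
bool deleteRunsDestructorThenFrees() {
    int before = CheckedTarget::danglingReferencesDetected;
    FreeSpaceNode* node = new FreeSpaceNode(0x1000, 0x200);
    node->checkedPtrCount++;
    delete node;
    return CheckedTarget::danglingReferencesDetected == before + 1;
}
```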